CSRF/XSRF prevention in Restlet

2015-07-21 Thread Ramesh
I am using Restlet 2.2.0 and CookieAuthentication with an embedded Jetty
plugin. In my application, I have 2 sets of pages.
   1) Pages that can be viewed by an unauthenticated user
   2) Pages that can be viewed only by an authenticated user

In both cases, I want to prevent CSRF/XSRF attacks. It seems that by default
Restlet applications are vulnerable to CSRF/XSRF unless we do something to
prevent this. I could not figure out what to do in my application to prevent
such attacks. I have read about many solutions on the internet, but none of
them discuss it in reference to Restlet applications.

I would appreciate it if someone could guide me on how to protect a Restlet
application from CSRF/XSRF attacks.

Thanks,
Ramesh



--
View this message in context: 
http://restlet-discuss.1400322.n2.nabble.com/CSRF-XSRF-prevention-in-Restlet-tp7579375.html
Sent from the Restlet Discuss mailing list archive at Nabble.com.

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447dsMessageId=3128028
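One way to add the missing protection in Restlet 2.2, as an added example that is not part of the thread: a Filter placed in front of the router that rejects unsafe (state-changing) requests unless the browser-supplied Origin/Referer matches the site's own origin and a double-submit token in the `X-XSRF-Token` header matches the `XSRF-TOKEN` cookie. The cookie and header names, the `allowedOrigin` value, and the code elsewhere that issues the random token cookie are assumptions, not Restlet defaults.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import org.restlet.Context;
import org.restlet.Request;
import org.restlet.Response;
import org.restlet.data.Status;
import org.restlet.routing.Filter;

/** Rejects state-changing requests that carry no proof of same-origin intent. */
public class CsrfFilter extends Filter {
    private final String allowedOrigin; // assumed, e.g. "https://app.example.com"

    public CsrfFilter(Context context, String allowedOrigin) {
        super(context);
        this.allowedOrigin = allowedOrigin;
    }

    @Override
    protected int beforeHandle(Request request, Response response) {
        // GET/HEAD/OPTIONS are safe methods; only unsafe ones are guarded.
        if (request.getMethod().isSafe()) {
            return CONTINUE;
        }
        // Check 1: browsers set Origin (or Referer) and script cannot forge it.
        String origin = request.getHeaders().getFirstValue("Origin", true);
        if (origin == null && request.getReferrerRef() != null) {
            origin = request.getReferrerRef().getHostIdentifier(); // scheme://host[:port]
        }
        if (origin == null || !origin.equalsIgnoreCase(allowedOrigin)) {
            response.setStatus(Status.CLIENT_ERROR_FORBIDDEN, "Cross-origin request rejected");
            return STOP;
        }
        // Check 2: double-submit token. A cross-site page can make the browser
        // send the cookie, but cannot read it to copy it into a custom header.
        String cookieToken = request.getCookies().getFirstValue("XSRF-TOKEN");
        String headerToken = request.getHeaders().getFirstValue("X-XSRF-Token", true);
        if (cookieToken == null || headerToken == null
                || !constantTimeEquals(cookieToken, headerToken)) {
            response.setStatus(Status.CLIENT_ERROR_FORBIDDEN, "Missing or mismatched CSRF token");
            return STOP;
        }
        return CONTINUE;
    }

    // Constant-time comparison so token mismatches leak nothing via timing.
    private static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }
}
```

Wire it with `csrfFilter.setNext(router)` after the CookieAuthenticator so both authenticated and unauthenticated pages pass through it; the XSRF-TOKEN cookie itself must be set (random, per session, not HttpOnly) by the application so same-origin script can echo it into the header.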


Re: Transparent reverse proxying using org.restlet.routing.Redirector

2014-05-14 Thread Ramesh
Arjohn Kampman-2 wrote
> We've updated from restlet 2.1.4 to 2.2.0 now and to our surprise this
> fixed the Redirector problems. In fact, Redirector works perfectly
> out-of-the-box, including the digest authentication. No subclassing
> required. So probably this was a bug in 2.1.4 that has been fixed
> somewhere in the 2.2 development.

Thanks for this info, which gives me some confidence that I can get this
working too with some help. In order to set the authentication information
for a MODE_SERVER_OUTBOUND redirection, I added a filter (code shown below),
in front of the Redirector, to set the ChallengeResponse. But
I could never get this authentication to work successfully, since the server
always fails authentication for the passed username/password. I would
appreciate it if you could share the details of how you passed the
authentication details to the Redirector.

import org.restlet.Context;
import org.restlet.Request;
import org.restlet.Response;
import org.restlet.data.ChallengeResponse;
import org.restlet.data.ChallengeScheme;
import org.restlet.routing.Filter;

public class MyRedirectorAuthenticatorFilter extends Filter {

    public MyRedirectorAuthenticatorFilter(Context context) {
        this.setContext(context);
    }

    @Override
    protected int doHandle(Request request, Response response) {
        String username = "username";           // placeholder values
        String password = "plaintext password"; // as in the original post

        // Sets the proxy credentials (sent as Proxy-Authorization),
        // as opposed to setChallengeResponse(), which sets Authorization.
        request.setProxyChallengeResponse(new ChallengeResponse(
                ChallengeScheme.HTTP_DIGEST, username, password));

        return super.doHandle(request, response);
    }
}

And in my application, I have,

String target2 = "http://localhost:8080/MyWebApp{rr}";
Redirector redirector2 = new Redirector(getContext(), target2,
        Redirector.MODE_SERVER_OUTBOUND);
MyRedirectorAuthenticatorFilter myfilter =
        new MyRedirectorAuthenticatorFilter(getContext());
myfilter.setNext(redirector2);
router.attach("/myapp", myfilter);

Appreciate your help on this.





--
View this message in context: 
http://restlet-discuss.1400322.n2.nabble.com/Transparent-reverse-proxying-using-org-restlet-routing-Redirector-tp7579113p7579179.html

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447dsMessageId=3078323


Re: How to use CookieAuthenticator?

2014-02-13 Thread Ramesh Kumar
Thanks Jerome Louvel for your understanding and quick action.

I have been trying for the last 3 days to get it to work. I tried many possible
ways to get it to work, but still without success. I guess it would be a very
simple implementation in the loginPost server resource. Can you please give me
some clue to get it to work? I can contribute a user guide once I can set up
cookie authentication.


import org.restlet.data.Form;
import org.restlet.representation.Representation;
import org.restlet.resource.Post;

    @Post
    public Representation post(Representation details) {
        Form form = new Form(details);
        String username = form.getFirstValue("login");
        String password = form.getFirstValue("password");
        String targetURI = getQueryValue("targetURI");
        // What to do here ???
        return null;
    }


- Ramesh



--
View this message in context: 
http://restlet-discuss.1400322.n2.nabble.com/How-to-use-CookieAuthenticator-tp7578835p7579061.html

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447dsMessageId=3072932


Re: How to use CookieAuthenticator?

2014-02-11 Thread Ramesh Kumar
Pieter Martin pietermartin at lavabit.com writes:

> Hi,
>
> Took me a while but I did get it working,
>
> Here is what I did.
>
> In my restlet application I set up the CookieAuthenticator as follows
>
> public class CMRestletApplication extends Application {...


Hi Pieter Martin,

Thanks for the example. 

I tried to follow it. I am stuck with the /rest/special/loginPost action.

Can you please post the code for the loginPost request?

I have a SecretVerifier implementation which is not called for the cookie
authenticator.

Thanks,
Ramesh

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447dsMessageId=3072851


Nested object de-serialization in JsonRepresentation not working

2013-12-11 Thread Ramesh
I have an Order class and OrderDetail model as described below.  

import java.util.Collection;

class Order {
    long id;
    String description;
    Collection<OrderDetail> details;

    public Collection<OrderDetail> getDetails() {
        return details;
    }
    // other methods
}

class OrderDetail {
    long id;
    String productId;
    String qty;

    // ... methods here ...
}

And I have a JSON string of one Order with a nested collection of OrderDetail.
I am trying to de-serialize this JSON string into an Order object, expecting
that the Order object will then contain the OrderDetail collection as well.
But it is not working as expected.

Here is the code snippet I have:

JacksonRepresentation<Order> jsonRepresentation =
        new JacksonRepresentation<Order>(representation, Order.class);
System.out.println(jsonRepresentation.getText()); // HERE IS THE CULPRIT
Order order = jsonRepresentation.getObject();
Collection<OrderDetail> details = order.getDetails();

1) When I do jsonRepresentation.getObject(), it is throwing an exception.

 (java.io.EOFException) java.io.EOFException: No content to map to Object due 
to end of input

Why is jsonRepresentation.getText() causing the subsequent getObject() to
fail?

2) I have an extended Collection class called ForeignCollection, which is 
simply a subclass of Collection. In order to use ForeignCollection instead of 
Collection, what do I have to do in Restlet? I am getting the following error 
when I change Collection to ForeignCollection in the above two classes - Order 
and OrderDetail:

 (org.codehaus.jackson.map.JsonMappingException) 
org.codehaus.jackson.map.JsonMappingException: Can not find a deserializer for 
non-concrete Collection type [collection type; ForeignCollection, contains 
[simple type, class Order]

I am using Restlet 2.1.2.

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447dsMessageId=3070147